DETAILED ACTION

1. Applicant's amendment filed on December 08, 2006 has been entered. Claims
21-39 are pending. Claims 21, 28-31, 37 and 39 are also amended by the applicant.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 21, 24-27, 28, 31 and 33-36 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Ueshima (US Patent No. 6,731,731) in view of Yu et al (US Patent 
No. 6,067,621) in view of Tabuki (US Patent No. 5,841,970) and in view of Le et al (US
Pub. No. 2003/0105962).

As per claim 21, Ueshima teaches:

registering user's public, private, and the authentication client device identities with an 
authentication authority [Fig. 1, col. 12 lines 34-35, col. 10 lines 12-20]. 
Ueshima teaches the portable mobile communication terminal is used to generate one 
time password [col. 4 lines 1-6, col. 6 lines 8-9, col. 8 lines 27-32] and a plurality of 
authentication system units is presented on the network [col. 11 lines 39-42]. The 
authentication system unit provides the authentication based on the one-time password
[col. 12 lines 42-44, col. 15 lines 17-21, 31-36, Fig. 1].

Ueshima doesn't expressly mention conducting synchronization between the
authentication authority and user's authentication client device.
However, Yu teaches generating the one-time password [Fig. 2, 4] and conducting 
synchronization between the authentication authority and user's authentication client 
device [col. 5 lines 14-17, Fig. 1, col. 8 lines 32-35]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Yu with Ueshima, since one would have been 
motivated to provide an improved user authentication system [Yu, col. 3 lines 15-16]. 
Ueshima and Yu teach the one-time password [Ueshima, col. 8 lines 23-24, Yu Fig. 2]. 
Ueshima teaches providing the Web services to the user based on the result of 
authentication/verification process [col. 3 lines 51-53]. The authentication unit verifies 
the one-time password [Fig. 1, col. 12 lines 42-44, col. 8 lines 23-24]. 
Tabuki teaches: 

submitting the authentication data to a business application server; composing an user 
identity verification request message by an authentication handler which is a plug in 
software installed on the business application server; forwarding the identity verification 
request message to the authentication authority, verifying the user's identity by the 
authentication authority by checking the identity verification request message; 
composing identity verification response message and sending the authentication 
handler the response message by the authentication authority; receiving the identity
verification response message by the authentication handler; informing the business
application server about the verification status by the authentication handler, granting
permission for the user to access protected resources by the business application
server upon a positive user identity verification [Fig. 1, 2, col. 4 lines 10-37, col. 5 lines
13-17, col. 2 lines 37-44].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Tabuki with Ueshima and Yu, since one would have 
been motivated to alleviate the burden on the application server [Tabuki, col. 2 lines 14-15].

Tabuki teaches forwarding the request to the authentication/verification server [Fig. 1, 
2]. Tabuki doesn't expressly mention an authentication gateway authority.
However, Le teaches submitting the identity verification request message to an
authentication gateway authority and forwarding the identity verification request
message from the gateway authority to the authentication authority [Fig. 1, 3, paragraph
0035, paragraph 0040].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Le with Ueshima, Yu and Tabuki, since one would 
have been motivated to provide improved user authentication/verification system [Yu, 
col. 3 lines 14-15].

As per claim 24, the rejection of claim 21 is incorporated and Le teaches:
the gateway authority (i.e. proxy) and the authentication authority to be separated and
placed in the Internet accessible environment to achieve a scalable and distributable 
solution [Fig. 1]. 

As per claim 25, the rejection of claim 21 is incorporated and Yu teaches:
the authentication authority and the authentication client device contain means to 
generate one-time and non-predictable identity codes independently for user identity 
authentication or verification [Fig. 1, 2, col. 8 lines 32-35]. 

As per claim 26, the rejection of claim 21 is incorporated and Ueshima teaches:
user public identity, authentication client device identity, and user private identity [Fig. 1, 
col. 15 line 10, col. 10 lines 12-13]. 
Yu teaches: 

the synchronization is conducted by executing a set of math function comprising hash, 
power and modular math operators with the input of information [Fig. 2, 3, 6, col. 10 
lines 7-18, col. 8 lines 49-51]. 

As per claim 27, the rejection of claim 21 is incorporated and Yu teaches:
the authentication authority and the authentication client device contain means to
generate confirmation codes to verify the success of the synchronization [col. 5 lines
14-37, col. 8 lines 49-57].

As per claim 31, it is a system claim corresponding to method claim 21 and is rejected for
the same reason set forth in the rejection of claim 21 above.

As per claim 33, the rejection of claim 31 is incorporated and further claim 33 is a
system claim corresponding to method claim 24 and is rejected for the same reason set
forth in the rejection of claim 24 above.

As per claim 34, the rejection of claim 31 is incorporated and further claim 34 is a
system claim corresponding to method claim 25 and is rejected for the same reason set
forth in the rejection of claim 25 above.

As per claim 35, the rejection of claim 31 is incorporated and further claim 35 is a
system claim corresponding to method claim 26 and is rejected for the same reason set
forth in the rejection of claim 26 above.

As per claim 36, the rejection of claim 31 is incorporated and further claim 36 is a
system claim corresponding to method claim 27 and is rejected for the same reason set
forth in the rejection of claim 27 above.

3. Claims 22, 23, 32 and 38 are rejected under 35 USC 103 (a) for being 
unpatentable over Ueshima (US Patent No. 6,731,731) in view of Yu et al (US Patent 
No. 6,067,621) in view of Tabuki (US Patent No. 5,841,970) and in view of Le et al (US
Pub. No. 2003/0105962) and further in view of Brown et al (US Pub No. 2002/0169988). 

As per claim 22, the rejection of claim 21 is incorporated and Brown teaches:
establishing and publishing the authentication authority Web services to Web service
industry's registries by the authentication authority [paragraph 0025, Fig. 1 "Service
providers 11 host a network accessible software module. A service provider defines a
service description for a Web service and publishes it to a service registry 13"].
Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Brown with Ueshima, Yu, Tabuki and Le, since one 
would have been motivated to use Web services because Web services offers the dual 
promise of simplicity and pervasiveness. Web services are based on the extensible 
Markup Language (XML) standard data format and data exchange mechanisms, which 
provide both flexibility and platform independence [Brown, page 1 paragraph 0002,
0006].

As per claim 23, the rejection of claim 22 is incorporated and further Brown teaches:
using Web Services Description Language (WSDL) to publish said authentication
authority Web services, and use Universal Description, Discovery and Integration
(UDDI) standard to discover said authentication authority Web services published by
other authorities [page 3 paragraph 0032, 0034 "The logical interface and the service
implementation are described by the Web Services Description Language (WSDL).
WSDL is an XML vocabulary used to automate the details involved in communicating
between Web services applications. Referring back to FIG. 1, the service can be
publicized by being registered in a standard-format web registry 13. This registry
makes it possible for other people or applications to find and use the service. For
example, one can publish descriptive information, such as taxonomy, ownership,
business name, business type and so on, via a registry that adheres to the Uniform 
Description, Discovery and Integration (UDDI) specification or into some other XML 
registry"]. 

As per claim 32, the rejection of claim 31 is incorporated and further claim 32 is a
system claim corresponding to method claim 22 and is rejected for the same reason set
forth in the rejection of claim 22 above. 

As per claim 38, the rejection of claim 31 is incorporated and Brown teaches:
the gateway authority, authentication authority means, said authentication handler
means, and the authentication client means are arranged to use Simple Object Access
Protocol (SOAP) to communicate, and use Hypertext Transport Protocol (HTTP)
packets to transmit data over Secure Socket Layer (SSL) [page 3 paragraph 0043 "The
SOAP security extension included with WebSphere Application Server 4.0 is intended to
be a security architecture based on the SOAP Security specification, and on
widely-accepted security technologies such as secure socket layer (SSL). When using HTTP
as the transport mechanism, there are different ways to combine HTTP basic
authentication, SSL, and SOAP signatures to handle varying needs of security and
authentication"].

4. Claim 28 is rejected under 35 U.S.C. 103(a) for being unpatentable over Ueshima
(US Patent No. 6,731,731) in view of Yu et al (US Patent No. 6,067,621) in view of
Tabuki (US Patent No. 5,841,970) and in view of Le et al (US Pub. No. 2003/0105962)
and Ha et al (US Pub. 2003/0152254).

As per claim 28, the rejection of claim 26 is incorporated and Ha teaches:
the user private identity comprises the user's biometric identity and other shared secret
information which doesn't have risk of being exposed over the Internet [Fig. 2A, 2C,
paragraph 0030, 0015].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Ha with Ueshima, Yu, Tabuki and Le, since one 
would have been motivated to provide improved user authentication/verification system. 

5. Claims 29, 30, 37 and 39 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Ueshima (US Patent No. 6,731,731) in view of Yu et al (US Patent 
No. 6,067,621) in view of Tabuki (US Patent No. 5,841,970) and in view of Le et al (US
Pub. No. 2003/0105962) and in view of Weiss (US Patent No. 5,657,388). 

As per claim 29, the rejection of claim 21 is incorporated and Ueshima teaches:
the authentication client device comprising the use of portable, hand-held devices [col. 4
lines 1-4].

Weiss teaches the portable device (the authentication client device) to generate one-time
and non-predictable identity codes locally and independently [Fig. 1, 2].
Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Weiss with Ueshima, Yu, Tabuki and Le, since one 
would have been motivated to control access to resources and improve security using 
the non-predictable one-time code [Weiss, col. 2 lines 36-39, col. 1 lines 15-17]. 

As per claim 30, the rejection of claim 21 is incorporated and Tabuki teaches:
the method can be used as an ID verification method for any business entity to verify 
the user identity over a channel selected from the group consisting of the Internet, 
phone and other communication means [col. 4 lines 44-47]. 

Weiss teaches verifying the user identity using one-time and non-predictable identity
codes over a channel selected from the group consisting of the Internet, phone and other
communication means [Fig. 1, 2].

As per claim 37, the rejection of claim 31 is incorporated and further claim 37 is a
system claim corresponding to method claim 29 and is rejected for the same reason set
forth in the rejection of claim 29 above.

As per claim 39, the rejection of claim 31 is incorporated and further claim 39 is a
system claim corresponding to method claim 30 and is rejected for the same reason set
forth in the rejection of claim 30 above.

Response to Argument 

6. Applicant's arguments filed December 08, 2006 have been fully considered but 
they are not persuasive. 

Regarding the applicant's argument to claim 21, Examiner disagrees with
applicant, since Ueshima teaches the portable mobile communication terminal
generates one-time password and the authentication system unit provides the
authentication based on the one-time password [col. 12 lines 42-44, col. 15 lines 17-21,
31-36, Fig. 1]. Further, Yu teaches the terminal generates the one-time password based
on the random number and the secret information locally as shown in Fig 1, 2 [col. 3
lines 24-28]. Further, Yu teaches conducting synchronization between the
authentication authority and the portable terminal [col. 5, lines 14-17, Fig. 1, col. 8 lines
32-35]. Therefore, the combination of Ueshima and Yu teaches the claim limitation
"generating the one-time identity code from the authentication client device locally and
independent". Applicant mentions that the applicants' synchronization is completely
random. However, the limitation presented in the remark is not expressly stated in
the claimed language. The Applicant is reminded that arguments presented in the
remarks are not considered unless stated clearly in the claim language. Further, applicant
argued that Ueshima does not have any teaching about Web services as taught by
Brown (2004/0199636). Examiner disagrees with the applicant, since the term "Web
services" is broad and isn't expressly specified in the claim language. Based on the
claim limitation presented in claim 21, Ueshima teaches the authentication process that
provides the service to the user using the Web server over the Internet and therefore, it
is a reasonable interpretation of the term "Web Services".

The Applicant is reminded that additional modification to clarify the claimed language is 
necessary for further consideration and distinction from the prior arts. 

Regarding the applicant's argument, "Even if the combination (Ueshima, Yu,
Tabuki and Le) could be combined, it is inherent that by combining a large number (over
three) references of prior art is evidence of unobviousness." In response to applicant's
argument, reliance on a large number of references in a rejection does not, without
more, weigh against the obviousness of the claimed invention. See In re Gorman, 933
F.2d 982, 18 USPQ2d 1885 (Fed. Cir. 1991).

Regarding the applicant's argument to claim 24, Examiner disagrees with
applicant, since Le teaches a plurality of authentication centers connected to the
network. When an authentication request is generated by the mobile station, the request
is routed to the proxy at which a standard-protocol message is generated and
communicated to the core network. Fields contained in the standard-protocol message
identify the authentication center by its identity to permit routing of an authentication
request. In this case, the proxy forwards the authentication request to the appropriate
authentication center. Therefore, the combination teaches the claim limitation.

Regarding the applicant's argument to claim 25, Examiner disagrees with
applicant, since Yu teaches generating the one-time password based on the random
number and the secret information. The terminal reads the secret key of the IC card and
the random number of the random number memory and generates a cipher using a
symmetric key cipher algorithm, a hash function portion for converting the cipher
generated in the symmetric key cipher portion, using one-way hash function, to prevent
an inverse trace of the secret key [col. 4 lines 7-14] and therefore it is not predictable.

Regarding the applicant's argument to claim 26, that the applicants' invention
uses a Diffie-Hellman type of algorithms. The Applicant is reminded that arguments
presented in the remarks are not considered unless stated expressly in the claim
language.

Regarding the applicant's argument to claim 27, that Yu's system does not
generate a confirmation code to alert the user about the success or failure of the
synchronization. The Applicant is reminded that arguments presented in the remarks are
not considered unless stated expressly in the claim language.

Applicant's arguments with respect to claims 29, 30, 37 and 39 have been
considered but are moot in view of the new ground(s) of rejection. See rejection above.

Regarding the applicant's argument to claim 22, "even if the combination
(Ueshima, Yu, Tabuki, Le and Brown) can produce a workable solution to meet the
requirement as described by claims 21 and 22, the combination of a large number (over
three) references of prior art is evidence of unobviousness." In response to applicant's
argument, reliance on a large number of references in a rejection does not, without
more, weigh against the obviousness of the claimed invention. See In re Gorman, 933
F.2d 982, 18 USPQ2d 1885 (Fed. Cir. 1991).

Regarding the applicant's argument to claim 23 and 38, Examiner maintains that 
the combination is sufficient, since it would have been obvious to a person of ordinary 
skill in the art at the time the invention was made to combine Brown with Ueshima, Yu, 
Tabuki and Le, since one would have been motivated to use Web services because 
Web services offers the dual promise of simplicity and pervasiveness. Web services are 
based on the extensible Markup Language (XML) standard data format and data 
exchange mechanisms, which provide both flexibility and platform independence 
[Brown, page 1 paragraph 0002, 0006] and it teaches the claim limitation as above. 

Regarding the applicant's argument to claim 25, Examiner disagrees with
applicant and maintains that Ha teaches the amended claim limitation as above, since
Ha discloses that the authenticating server deletes the once-used OTT key so that
another random OTT key can be used for a next authentication. Therefore, even if the
OTT key is exposed in the course of authentication, false authentications through
hacking can be prevented because a newly renewed OTT key is used for the next
authentication. Therefore, the combination teaches the claim limitation.

The Applicant is reminded that additional modification to clarify the claimed 
language is necessary for further consideration and distinction from the prior arts. 

Conclusion 

7. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications
from the examiner should be directed to Nirav Patel whose telephone number is
571-272-5936. If attempts to reach the examiner by telephone are unsuccessful, the
examiner's supervisor, Kim Vu, can be reached on 571-272-3859. The fax and phone
numbers for the organization where this application or proceeding is assigned is
571-273-8300. Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is
571-272-2100.



NBP 



7/18/07 




